We would like to announce the general availability of Adobe Acrobat Reader integration with Microsoft Information Protection solutions – which we originally announced in September Your feedback during the development of this integration was both insight and useful. You can download the new Adobe Acrobat Reader that supports Microsoft Information Protection capabilities at the following location

Figure 1: Page to download the Adobe integration Plug-in

Installation instructions

Prior to downloading the latest Adobe Acrobat, please make sure that your labels are visible in the Security and Compliance center UI @ https://protection.office.com . If the labels are visible and are published by a label policy from the Security and Compliance center, the Adobe Integration will function.

Note: The instructions on how to replicate your existing AIP labels to Security and Compliance center is at the following link

After you have validated the label being visible in the Security and Compliance center, please proceed to download your Adobe Acrobat Reader from the Adobe site. Once you have installed the Reader then please proceed to the link and download the integration plug-in for installation. Please make sure that you close the Adobe Acrobat solution prior to installing the plug-in, otherwise it will not work.

If have an older installation then please make sure to read the general terms of use and uninstall any old Reader and plug-in installation before installing the new reader and the plug-in. The integration works with the 2019.010.20064 version of Acrobat Reader DC and Acrobat DC. Please do not use the plug-in with an earlier version of Acrobat.

After you have installed the plug-in, please try to label and protect a PDF document using the Azure Information Protection client and then open with Adobe Acrobat Reader that has the integration enabled.

Organizations with restrictive install permissions within their tenant

In case you receive the following error as shown in Figure 2, when opening the secure PDF document with Adobe, It is due to the fact that the tenant administrator in your organization does not want users to authorize applications within your organizations tenant . This is an additional security measure that your tenant administrator might have enabled .

Figure 2: Admin Consent page that shows if you have not authorized the Adobe applications

In such cases, please have your tenant administrators consent to the Adobe Acrobat App-id which is as follows:

cad2910c-3b55-4610-ba7e-dda581063c91

Once the administrative consent happens, then you should be ready to consume protected PDF content via Adobe’s Acrobat Reader. If you would like to understand what consent flows are, please read the information at the following link:

Viewing the label ribbon when PDF is labeled or labeled and protected

Create a DWORD value name called : bShowDMB with a Hexadecimal value of 1

Figure 3: Label banner on a PDF

That will allow the ability to view the label ribbon within the Acrobat interface

Issues in viewing labels with Adobe Reader

Even after making the changes in registry you are not seeing the labels. Then the issue could be the following:

Have your labels been replicated from the AIP portal to Security and Compliance center?

Have you published your labels to the users in your tenant from the Security and Compliance center?

If your answer is no, to the above questions, then you will not see the labels. The Adobe integration is enabled with Microsoft Information Protection and the policies for those labels comes the Security and Compliance center at https://protection.office.com

Please check if your AIP labels manifest within Security and Compliance center and if they are visible then please make sure that your labels are published.

If you have done the above steps please make sure that the registry entry for the label banner is done as Adobe\Acrobat Reader\DC and not under Adobe\DC

if you're seeing this issue on multiple machines or a specific machine? - We tried on 2 PCs.

if you've tried on just one machine can you please try on another machine and let us know the behavior? - same as on my machine - same on the other PC.

what's the environment of the affected machine (i.e. physical/virtual, operating system etc)? - They are all Win 10 laptops, physical machines

if the behaviour is specific to multiple PDFs or a single PDF? - the issue is for all PDFs. The solution was supposed to protect documents on SharePoint Online site. It has IRM activated, so documents are allowed to print only, but not emailed, downloaded, modified etc.. It works on Word documents, but not on PDFs

if you've protected the PDF with a custom label and if yes, please try opening a PDF which has been protected with one of the pre-configured labels (e.g. Confidential/All Employees). - Sorry for my ignorance - how to protect a PDF? Using Azure Information Protection client? I thought uploading the document to SP site with IRM activated will protect it automatically... Shall I install Azure Information Protection client and protect the PDF before uploading it to SP?

Also - can I set up the label applying to be applied while uploading documents to that SP site?

if you can share the screenshot of Computer\HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\MicrosoftAIP from the affected machine? - Screen shot of registry is attached below. Please note that key was not created while installing Adobe or the plugin. I created it manually.

while opening the PDF, do you receive an email dialog? And then a password dialog? - No I do not receive any dialog. Adobe PDF reader opens straight away with "This PDF file is Protected..." message. There is no label ribbon in Adobe Acrobat Reader - see the screenshot below.

if you can open the same PDF with all protection removed? - Not sure what you mean.. Before I upload that document to SP site, I could open without problems. I Cannot if I open the document from the SP Site. Also I can open the original document stored on my laptop.

I am not sure whether the whole set up is done correctly. I.e. I have labels published in tenant Security and Compliance center. So far I do not see a way to apply a label to a document - the IRM protection seems to be applied to Office docs and PDFs by uploading the file to a site where IRM is active, but I do not see labels to either PDFs or Office docs..

Do I need to install Azure Information Protection client on my laptop and apply the label to the PDF before uploading to that site? In order to apply the label?

So perhaps start from scratch - list of items to install, and in what order...? Bare in mind - all that is needed for a SPOnline site containing sensitive documents..for the time being.

When I try to log in with the email from my domain I get 401 unauthorized page. If I log with a external test gmail account I get an error "User account from identity provider does not exist in tenant 'Adobe Inc' and cannot access the application. This account needs to be added as an external user in the tenant first." If I close the box it will allow me to access the pdf file, the bookmark titles are missing but can still view the content and click on the bookmarks. On my domain account it just closes the pdf file.

Step 1Step 2Step 3

In the Azure portal I see two sign in from my domain account one successful one interrupted. My gmail only show one successful.

Same ID Successful same time.

AFAIK all the permissions are there.

FYI: AIP Viewer and Foxit Reader work just fine viewing the document.

Also, is there anyway to undo the auto sign in? Now that I've signed in with my gmail account I can't find a way to sign out so I can test my domain account.

Thanks @Rajneesh_Chavli. Couldn't get much easier than that, I don't know how I overlooked that.

I don't what has changed this morning, but I'm able to log into the plugin using username@domain.com but not email@domain.com. My test gmail account still gives me this error though. Closing the window (screenshot below) allows me to view the pdf.

I'm able to log in now using user@domain.com but not email@domain.com. I get the token error when I use email@domain.com. I would like to have this fixed but worst case I can tell my users to use user@domain.com

However, I'm still having an issue with my test external gmail account. I get an error "Selected user account does not exist in tenant 'Adobe Inc' and cannot access the application 'cad2910c-3b55-4610-ba7e-dda581063c91' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account." If I close this window it opens up the pdf just fine and I can view it, but it doesn't go any further until I close the window.

This is an external user in my tenant and I have granted them permission to the application via the Azure portal. I'm not sure what the 'Adobe Inc' tenant in the error message means.

This is an issue for us because we need to be able to share protected documents with external users.

@Tim Lehmann , I am the PM at Microsoft. We will need to look at this issue in a little more depth. May I ask you open a ticket with Microsoft support please.@Steve Light - Can you keep an eye on this support request that may be coming your way. This is pertaining the MIP SDK.

@Kartik Kanakasabesan I have one opened with them since 1/8/19 did you want the ticket # or should I opened a new one? Because some of the issues in the details we have fixed, that way it will be more focused on the current issue.

@Kartik Kanakasabesan@Rajneesh_Chavli I have problem with the Office 365 authentication. In my tenant, some users use certificate to sign into Office 365 (authenticated by ADFS), and some other users sign in with Office 365 password (authenticated online by Office 365 - no MFA, no federation, no SSO, just plain default). When opening an AIP-protected .pdf file, the MIP plug-in works as expected, i.e. it asks users credential. After entering the email address and Office 365 password, the user authenticated by Office 365 could open the .pdf file. The problem is, the user authenticated with ADFS could not complete authentication, as the certificate prompt window doesn't show up.

@Kartik Kanakasabesan I do not even get the consent prompt. I enter my email and then I get redirected straight to the PDF content without showing any ribbon. Could you help me troubleshoot? Thank you much. Maria Y.

@Tim_Lehman Did you get that issue resolved when using external accounts to open protected PDF files?. I had the same issue when trying to open a PDF file on my personal laptop using an outlook.com address. When i try opening the same PDF file on a different laptop I get an error about not being able to read the network location (both laptops have the same OS, Adobe DC version, Plugin version).

I have not had my issue resolved yet. Microsoft had me reach out to Adobe, Adobe said there was a Microsoft Sync issue they were looking into. The "network location error" is a new for me, which I'm also getting this same error.

Any plan to support the new protected PDF format on mobile platform (Android, iOS)?

Also is there any documentation on the details of the new protected PDF format? For example, where is the publishing license and other metadata is stored etc. As a third party developer, we would like to be able to generate the new protected format from mobile devices. However, it looks like the new PDF format is only available on the desktop via the C++ SDK (IpcfEncryptFileStream etc)? Please let me know if I missed anything.

@Kartik Kanakasabesan I followed all instructions and I am able to open protected PDF files in the Adobe Reader DC, but PDF files encrypted using SharePoint online I am still not able to read them in the Adobe Reader. Still getting, This PDF file is protected. Could you let me know whether SPO AIP encrypted file are supported or not in the Adobe Reader DC? Or is there any additional step required?